“How Google Does It” for AI Security Agents… Doesn’t Tell You “How Google Does It”

Google published a guide to building AI agents for cybersecurity. It contains no architecture, no metrics, no failure analysis, and no adversarial threat modeling. Instead it contains the assertion that Google is doing AI security. It offers four recommendations indistinguishable from any enterprise software deployment checklist since, oh I don’t know, 2005.

This matters, because Google is claiming an authoritative voice, stepping up and then… whoops.

The danger isn’t that Google is wrong, per se. It’s more like a wardrobe malfunction: their advice is insufficient while dressed as comprehensive.

When Google says “here’s how we do it,” we’re all here waiting for Google’s actual methodology to keep us safe and warm. Then we’re left cold and exposed.

Examples?

  1. The piece recommends “quality agents” to verify other AI agents. If your verifier shares architectural assumptions with the system it’s checking, you’ve added complexity without adding assurance. You’ve built a system that fails confidently. I’ve written and spoken about this many times, including a recent IEEE article on integrity breaches. When multiple systems make the same error, that isn’t redundancy; it’s correlated failure. That can be worse than no safety net, because you operate as if you have one. Flawed agents to cover for flawed agents is how Ariane 5 blew up.

    A 64-bit velocity calculation was converted to a 16-bit output, causing an error called overflow. The corrupted data triggered catastrophic course corrections that forced the US $370 million rocket to self-destruct.

  2. Their success metrics center on analyst trust and feature requests. Trust measures psychology, which is much broader and more interesting than narrow technical visions of control. A team can be enthusiastic about a tool that’s completely missing threats. The relevant question—what did the agent miss that humans would have caught—goes unasked.
  3. Most remarkably for a security-focused guide: no discussion of attacks on the agents themselves. Prompt injection. Adversarial inputs. Training data poisoning. Any autonomous system with security permissions is a high-value target. Treating AI agents as trusted infrastructure rather than attack surface is the foundational mistake I’ve spent years warning about at RSA. If you aren’t automatically asking whether your security agent is a double-agent, you aren’t ready to deploy agents.
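As an added illustration of the correlated-failure point in item 1 and the unasked question in item 2 (example code written for this post, not Google’s guide or any Google tooling; every event, label, signature and threshold is constructed): it scores a primary detection agent and two kinds of “quality agent” verifier against human-reviewed labels and reports what each combination still misses.

```python
"""Added example (not from the original post or from Google's guide): score a
security agent and two kinds of "quality agent" verifier against a human-labelled
baseline, to show why a verifier that shares the primary agent's assumptions adds
complexity without adding assurance. Every event, label, signature and threshold
below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Event:
    text: str        # constructed telemetry summary
    rarity: float    # constructed: how unusual this is against the org baseline (0..1)
    malicious: bool  # constructed human-reviewed ground truth


# Constructed ground truth: four malicious events, two of which are novel and
# match no signature, plus four benign events (one looks suspicious, one is rare).
EVENTS: List[Event] = [
    Event("badtool.exe dump", 0.90, True),
    Event("ping known-c2.example", 0.70, True),
    Event("legit-backup.exe --archive all", 0.95, True),
    Event("renamed binary registers a scheduled task", 0.85, True),
    Event("badtool.exe --help", 0.30, False),
    Event("notepad.exe report.txt", 0.05, False),
    Event("svchost.exe -k netsvcs", 0.02, False),
    Event("new-inventory-tool.exe scan", 0.90, False),
]

# Constructed signature list shared by the primary agent and its look-alike verifier.
SIGNATURES = ("badtool.exe", "known-c2.example")
RARITY_THRESHOLD = 0.8  # constructed baseline cut-off for the independent verifier

Detector = Callable[[Event], bool]


def signature_agent(event: Event) -> bool:
    """Primary agent: flags anything containing a known-bad string."""
    return any(sig in event.text.lower() for sig in SIGNATURES)


def shared_assumption_verifier(event: Event) -> bool:
    """'Quality agent' built on the same knowledge base: a different code path
    encoding the same assumption, so it can only confirm the primary's verdict."""
    pattern = "|".join(re.escape(sig) for sig in SIGNATURES)
    return re.search(pattern, event.text.lower()) is not None


def independent_verifier(event: Event) -> bool:
    """Verifier with a genuinely different signal: deviation from baseline."""
    return event.rarity > RARITY_THRESHOLD


def missed(detectors: List[Detector], events: List[Event]) -> List[Event]:
    """The question the post says goes unasked: what did the agents miss that
    the human reviewers caught? A threat is missed only if no detector flags it."""
    return [e for e in events if e.malicious and not any(d(e) for d in detectors)]


def miss_rate(detectors: List[Detector], events: List[Event]) -> float:
    """Share of human-labelled threats that slip past every detector in the list."""
    malicious = [e for e in events if e.malicious]
    return len(missed(detectors, events)) / len(malicious)


def agreement(a: Detector, b: Detector, events: List[Event]) -> float:
    """Fraction of events on which two detectors return the same verdict.
    1.0 means the second detector cannot catch anything the first missed."""
    return sum(a(e) == b(e) for e in events) / len(events)


if __name__ == "__main__":
    print(f"primary alone         miss rate {miss_rate([signature_agent], EVENTS):.2f}")
    print(f"primary + shared      miss rate "
          f"{miss_rate([signature_agent, shared_assumption_verifier], EVENTS):.2f}"
          f"  (agreement {agreement(signature_agent, shared_assumption_verifier, EVENTS):.2f})")
    print(f"primary + independent miss rate "
          f"{miss_rate([signature_agent, independent_verifier], EVENTS):.2f}"
          f"  (agreement {agreement(signature_agent, independent_verifier, EVENTS):.2f})")
    for e in missed([signature_agent, shared_assumption_verifier], EVENTS):
        print("missed by both:", e.text)
```

The shared-assumption verifier agrees with the primary on every event, so the pair misses exactly what the primary misses on its own; the independent verifier disagrees often, which is precisely why it lowers the joint miss rate. Measuring agreement against a human-labelled set is the check to run before treating any verifier as redundancy, and the `missed` list is the metric that analyst trust scores and feature requests never surface.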

The “how we do it” framing implies authority as well as a form of completeness. It suggests that by following Google’s steps you will arrive wherever Google already is. But the text doesn’t bear that out. It leaves you in one of two places: either you already know this isn’t how the work actually gets done, or you aren’t getting it done.

Confidence, unearned, is the actual “intelligence” vulnerability. Google just demonstrated it.
